This is the accessible text file for GAO report number OIG-14-1 entitled 'Financial Management: Additional Actions Needed to Ensure Accountability over Undercover Funds' which was released on May 27, 2014. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Office of the Inspector General: U.S. Government Accountability Office: Financial Management: Additional Actions Needed to Ensure Accountability over Undercover Funds: OIG-14-1: Office of Inspector General: U.S. Government Accountability Office: Report Highlights: May 27, 2014: Financial Management: Additional Actions Needed to Ensure Accountability over Undercover Funds: Objective: This report addresses the extent to which GAO has implemented effective controls to ensure accountability of undercover funds primarily spent in fiscal year 2012. What OIG Found: In fiscal year 2012, FAIS used two primary methods to access funds to support its undercover activities: a credit union checking account and undercover charge cards. OIG found no evidence of fraud or waste regarding undercover funds, but did identify areas for improvement in financial management controls. Controls were ineffective in preventing and identifying use of appropriated funds for which the period of availability had expired. As a result, we found that FAIS investigative staff improperly used and retained fiscal year 2011 funds in fiscal years 2012 and 2013. In addition, we identified other conditions that increased the risk for fraud, waste, and mismanagement of FAIS undercover funds, such as undercover purchases occurring prior to requisite management approval and gaps in policies and procedures for ensuring accountability over undercover funds. In response to our audit, FM made accounting adjustments to remedy bona fide need violations and implemented procedures to mitigate future risk, including periodic reviews of controls over FAIS transactions. FAIS has revised its policies and procedures for undercover funds, which are in the final phase of review prior to issuance and intends to train its staff following issuance. What OIG Recommends OIG recommends that the Comptroller General direct the FAIS Managing Director to expeditiously complete efforts to update and implement policies and procedures applicable to safeguarding undercover funds and ensuring compliance with appropriations law, and to train FAIS staff upon completion. Additionally, we recommend the inclusion of FAIS, as the primary office responsible for developing and maintaining GAO’s forensic audit and investigative policies and procedures, in GAO Order 0010.1, Government Accountability Office (GAO) Orders, Operational Directives, and Manuals, to help ensure that FAIS policies and procedures are updated, as needed. GAO and FAIS have taken or initiated actions to address our recommendations. [End of section] Office of the Inspector General: U.S. Government Accountability Office: Memorandum: Date: May 27, 2014: To: Comptroller General Gene L. Dodaro: From: [Signed by] Inspector General Adam R. Trzeciak: Subject: Financial Management: Additional Actions Needed to Ensure Accountability over Undercover Funds: GAO’s Forensic Audits and Investigative Service (FAIS) investigators are authorized to conduct undercover operations and activities [Footnote 1] relating to the detection, prevention, and prosecution of criminal activity involving programs and operations of federal agencies (excluding GAO). In addition, FAIS is authorized to conduct undercover operations and activities to determine vulnerabilities affecting federally funded programs and operations of the United States.[Footnote 2] Undercover activities inherently involve an element of deception. As such, they may require specialized investigative techniques, including the use of assumed identities and funds not traceable to GAO or the government. In fiscal year 2012, FAIS used two primary methods to access funds to support its undercover activities: a credit union checking account and undercover charge cards. Since undercover activities allow the same individual to order, pay for, and receive goods and services, funds associated with these activities are at high risk of fraud, waste, or misuse. Objective, Scope, and Methodology: This report addresses the extent to which GAO has implemented effective controls for ensuring accountability of FAIS undercover funds primarily spent in fiscal year 2012. To achieve our audit objective, we identified and reviewed applicable policies, procedures, professional standards, laws, and regulations. In addition, we interviewed FAIS managers and staff, including the FAIS Director of Investigations, three FAIS investigators, the FAIS quality assurance and operations manager, and the FAIS undercover charge card program coordinator; GAO attorneys knowledgeable of FAIS operations and appropriations law; GAO Financial Management and Business Operations [Footnote 3] staff, including the imprest fund cashier, budget officer for FAIS, the Program Analysis and Operations[Footnote 4] director, and accounting staff; and the Information Systems and Technology Services’ telecommunications manager. We used this approach to gain an understanding of: * FAIS’s internal control design, including existing policies and procedures; * methods FAIS investigators used to access funds to support undercover activities; * the flow of transactions and controls established to help ensure that access to funds was authorized and that the funds were used as intended and in compliance with applicable laws and regulations; and; * the scope of GAO and FAIS management oversight and monitoring activities, including internal reviews and reconciliations, directed toward assessing the sufficiency and effectiveness of FAIS’s internal control design. We reviewed all undercover charge card transactions paid in fiscal year 2012. We also reviewed all financial transactions that occurred between September 2011 and May 2013 related to GAO disbursements supporting two FAIS investigations.[Footnote 5] We used GAO’s Standards for Internal Control in the Federal Government,[Footnote 6] the GAO Policy Manual,[Footnote 7] FAIS policies and procedures,[Footnote 8] and the Council of the Inspectors General on Integrity and Efficiency’s (CIGIE) Quality Standards for Investigations,[Footnote 9] as applicable, to analyze FAIS’s methods of accessing funds for undercover activities, review individual transactions, and determine whether FAIS had established an effective internal control environment (including defined policies and procedures and corresponding control activities to achieve operational, reporting, and compliance objectives). We conducted this performance audit from June 2013 through May 2014 in accordance with generally accepted government auditing standards (GAGAS), except for the quality control and assurance standard requiring an external peer review of our audit organization every three years. This exception did not affect the planning or performance of our audit. The Office of Inspector General is scheduled for a peer review in fiscal year 2015. GAGAS requires that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Background: FAIS provides the Congress with forensic audits; investigations of fraud, waste, and abuse; evaluations of security vulnerabilities; and other investigative services as part of its own assignments or in support of other GAO audit teams. As of March 2014, FAIS had 53 employees that included analysts, investigators, and other staff. GAO policy and relevant directives[Footnote 10] require that FAIS have an internal control environment consistent with GAO’s Standards for Internal Control in the Federal Government. Such a control environment would provide reasonable assurance that GAO resources are protected by ensuring that undercover funds are used consistent with objectives as outlined in the applicable investigative plan. GAO has a long-established requirement that executive-level GAO officials approve undercover operations prior to their initiation, though the approving official has varied over time. At the time of our review, GAO required the FAIS Oversight Board[Footnote 11] to approve all investigative plans, including those that propose the use of undercover activity. This approval must be obtained prior to conducting any specialized investigative techniques, including undercover activities and operations. In addition, investigators are required to consult with the Chief Operating Officer or designee and the General Counsel prior to engaging in any undercover operations. FAIS investigative plans establish the objective of an investigation and provide an estimate of the funding the team needs to support a specific investigation. If the method for providing funding is not specified in an investigative plan, FAIS determines, following initiation of the investigation, how to access the funds estimated in the investigative plan to achieve investigative objectives. In fiscal year 2012, FAIS received more than $50,000 for investigative activities through cash disbursements from the GAO imprest fund, an electronic transfer to a credit union account, and use of undercover charge cards. Assessment of the effectiveness of policies and procedures in ensuring management program, reporting, and compliance objectives is a way of identifying and mitigating risks. To assess the quality and reliability of its products, GAO includes investigations in its annual quality assurance reviews. Further, GAO performs an internal assessment of the effectiveness of internal controls generally consistent with the guidance of Office of Management and Budget’s (OMB) Circular A-123.[Footnote 12] As a legislative branch agency, GAO is not required to follow any OMB circulars, including OMB Circular A- 123 or its appendices. However, as a matter of policy, GAO has indicated that it generally would assess and report on the effectiveness of GAO’s internal controls consistent with the guidance of OMB Circular A-123. Weak Controls Heightened Vulnerability of Undercover Funds to Fraud, Waste, and Mismanagement: Our review of controls over FAIS undercover funds used primarily in fiscal year 2012 found no evidence of fraud or waste, but we did identify opportunities for enhancing financial management controls of undercover funds. Whether FAIS is using undercover funds obtained through checking accounts or charge cards, internal controls serve as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. Prior Year Funds Were Improperly Used and Retained for Undercover Operations and Gaps Were Identified in Policies and Procedures for Ensuring Accountability over Undercover Funds Between September and November 2011, FAIS received $40,900 in fiscal year 2011 funds for two undercover investigations. FAIS properly spent $29,227.19, or about three-fourths, of the $40,900 in fiscal years 2011 and 2012. However, our analysis showed that FAIS improperly used $3,966.25 in expired fiscal year 2011 funds to make payments, and improperly retained $7,160.34 in expired fiscal year 2011 funds after the investigations were closed. (See figure 1.) Figure 1: FAIS's Use of $40,900 in Fiscal Year 2011 Funds Provided for Two Investigations: [Refer to PDF for image: pie-chart] Payments Properly Made with FY 2011 Funds: $29,227,19; Payments Improperly Made with FY 2011 Expired Funds: $3,966,25; Expired FY 2011 Funds Improperly Retained: $7,160.34; FY 2011 Funds Returned to GAO: $546.22. Source: OIG analysis of FAIS-provided data. Note: The two investigations were GAO, DOD Supply Chain: Suspect Counterfeit Electronic Parts Can Be Found on Internet Purchasing Platforms, [hyperlink, http://www.gao.gov/products/GAO-12-375] (Washington, D.C.: Feb. 21, 2012) and For-Profit Schools: Experiences of Undercover Students Enrolled in Online Classes at Selected Colleges, [hyperlink, http://www.gao.gov/products/GAO-12-150] (Washington, D.C.: Oct. 31, 2011). [End of figure] Prior Year Funds Were Improperly Used: An agency may spend or obligate its fiscal year appropriation only to meet a bona fide need arising in the fiscal year for which the funds were appropriated.[Footnote 13] Our analysis showed that FAIS investigators improperly spent $3,966.25 in expired fiscal year 2011 funds for one investigation in fiscal year 2012. For the second investigation, we found that FAIS investigators had established a bona fide need for using fiscal year 2011 funds to make payments totaling $27,068.84 in fiscal year 2012. To fund FAIS’s counterfeit military parts investigation,[Footnote 14] GAO’s Financial Management (FM) office provided FAIS a total of $10,900 within the last four days of fiscal year 2011 (September 27- 30) from the GAO imprest fund.[Footnote 15] As required, this disbursement of funds occurred after the FAIS Oversight Board approved the investigative plan on September 20, 2011. On September 29, 2011, the then FAIS managing director and an investigator opened credit union accounts. Of the $10,900 provided by GAO, FAIS kept $1,400 in cash to support immediate payments to vendors and deposited the remaining $9,500 into a credit union checking account it opened. FAIS investigators made a total of 14 undercover payments using fiscal year 2011 funds between September and December 2011 (fiscal years 2011 and 2012).[Footnote 16] For 8 of the 14 payments, FAIS investigators established a bona fide need for using fiscal year 2011 funds by reaching agreements with vendors regarding purchase terms and conditions (e.g., the number, condition, and price of the parts). The 8 payments totaled $2,158.35; of those, 5 payments totaling $950.80 were made in fiscal year 2011, and 3 totaling $1,207.55 were made in early October 2011 (fiscal year 2012). The remaining 6 payments totaling $3,966.25 were made in fiscal year 2012, but FAIS investigators did not have a bona fide need to use fiscal year 2011 funds because they had not reached agreements regarding purchase terms and conditions in fiscal year 2011. Therefore, FAIS was legally required to use fiscal year 2012, not fiscal year 2011, funds to make these 6 payments. After the 14 payments were made, FAIS investigators retained the remaining $4,775.40 ($4,660.75 in its checking account and $114.65 in cash held by an investigator). Figure 2 provides a timeline depicting the use and retention of fiscal year 2011 funds for the counterfeit military parts investigation. Figure 2: Timeline Showing Use and Retention of Fiscal Year 2011 Funds for Counterfeit Military Parts Investigation: [Refer to PDF for image: timeline] FY 2011: September 27: $900 in FY 2011 funds received from GAO imprest fund and retained in cash. September 28-30: Five payments totaling $950.80 made. Bona fide need established for three more purchases to use FY 2011 funds. September 29: $10,000 in FY 2011 funds received from GAO imprest fund. $9,500 deposited into credit union account and $500 retained in cash. October 4-December 1: Three payments totaling $1,207.55 made with bona fide need established to use FY 2011 funds. Six payments totaling $3,966,25 made without bona fide need established to use FY 2011 funds. FY 2012: February 21: Investigation closed. $4,775.40 in expired FY 2011 funds remained. FY 2013: May 1: Credit union account closed. Funds returned to Treasury. Source: OIG analysis of FAIS-provided data. Note: Information in this figure relates to GAO, DOD Supply Chain: Suspect Counterfeit Electronic Parts Can Be Found on Internet Purchasing Platforms, [hyperlink, http://www.gao.gov/products/GAO-12-375] (Washington, D.C.: Feb. 21, 2012). [End of figure] GAO attorneys told us that they had advised FM and FAIS managers and staff about the risk of a bona fide need violation in 2006 or 2007 when FAIS had previously used a checking account for an investigation. Although advised of the risk of a bona fide need violation, neither FM nor FAIS updated their policies and procedures to inform their staff on how to prevent and detect bona fide need violations. In the absence of such written policies and procedures, FAIS requested, and FM provided, $10,900 in the last four days of fiscal year 2011. The FAIS investigator responsible for the checking account had no knowledge of the bona fide need requirement. In response to our audit, FM has made accounting adjustments to record the expenditures in the appropriate fiscal year to remedy the bona fide need violations.[Footnote 17] For the for-profit schools investigation,[Footnote 18] FM appropriately provided FAIS in early fiscal year 2012 with $30,000 in fiscal year 2011 funds because FAIS investigators had established a bona fide need for these funds when they took out nine student loans in fiscal year 2011. FAIS deposited the entire $30,000 into its checking account and made nine payments totaling $27,068.84 in fiscal year 2012 to pay off the student loans.[Footnote 19] Following its first student loan payment in October 2011, FAIS returned $546.22 to FM. After making all nine student loan payments, FAIS retained the remaining $2,384.94 in its checking account. Figure 3 provides a timeline depicting the use and retention of fiscal year 2011 funds for the for-profit schools investigation. Figure 3: Timeline Showing Use and Retention of Fiscal Year 2011 Funds for For-Profit Schools Investigation: [Refer to PDF for image: timeline] FY 2011: November 20, 2010-January 18, 2011: Nine student loans taken out, establishing bona fide need for FY 2011 funds. October 28: Paid off one student loan totaling $4,453.78 with FY 2011 funds and returned $546.22 in excess funds to the GAO imprest fund. FY 2012: October 28, 2011: $5,000 in FY 2011 funds received for GAO imprest fund and deposited into credit union account. October 31, 2011: Investigation closed. November 29, 2011-December 12, 2011: Paid off eight student loans totaling $22,615,06 with FY 2011 funds. $2,384.94 in expired FY 2011 funds remained in the credit union account. FY 2013: May 1: Credit union account closed. Funds returned to Treasury. Source: OIG analysis of FAIS-provided data. Note: Information in this figure relates to GAO, For-Profit Schools: Experiences of Undercover Students Enrolled in Online Classes at Selected Colleges, [hyperlink, http://www.gao.gov/products/GAO-12-150] (Washington, D.C.: Oct. 31, 2011). [End of figure] In December 2011 (fiscal year 2012), after all payments were made for both investigations, the checking account held $7,045.69 and an investigator held $114.65 in cash of expired fiscal year 2011 funds. A year later in December 2012 (fiscal year 2013), the credit union assessed a $10 fee and deducted it from the balance of the expired funds remaining in the checking account. Because FAIS had not established a bona fide need in fiscal year 2011 to pay the $10 fee, FAIS was legally required to use fiscal year 2013, not fiscal year 2011, funds to pay the fee. Prior Year Funds Were Improperly Retained: Annual appropriations are available only to meet bona fide needs of the fiscal year for which they were appropriated, and unobligated funds remaining at the end of the appropriation period must be returned to the general fund of the Treasury. In addition, FAIS’s policy requires that all remaining funds at the end of an investigation be returned to the GAO imprest fund.[Footnote 20] Our work showed that FAIS did not fully comply with these requirements for the two investigations that used the credit union checking account and improperly retained expired fiscal year 2011 funds totaling $7,160.34. Specifically, FAIS did not return $4,775.40 in expired funds when the counterfeit military parts investigation was completed in February 2012 or at the end of fiscal year 2012. In addition, FAIS did not return $2,384.94 in expired funds after making its last student loan payment in December 2011, which was more than one month after FAIS completed its for-profit schools investigation. According to the FM Director, if the funds had been recorded as an advance, as appropriate, FM’s financial management system would have prompted FM staff at the end of fiscal years 2011 and 2012 to contact FAIS regarding the status of the funds. In response to our audit, FM and FAIS have taken steps to strengthen accountability and oversight of funds provided for investigative activities. For example, following closure of the GAO imprest fund, FM worked with FAIS to develop and implement new procedures in February 2014 to help ensure that accountability over investigative funds is maintained.[Footnote 21] Under these new procedures, an FAIS manager will review monthly statements and provide FM with a statement certifying the accuracy of expenditures made in support of an investigative activity or operation. FAIS staff said that they were unaware of the statutory requirement to return expired funds or FAIS’s policy requiring that any remaining funds be returned at the end of an investigation. FAIS directors stated that they are in the process of addressing this issue. Specifically, after the revised draft policies and procedures are approved, FAIS staff will be required to annually review and confirm their understanding of guidance contained in these documents. Key Decisions Regarding the Use of Cash for One Investigation Were Not Documented: Supervisory approval is a key control for ensuring accountability of funds, including decisions to retain or withdraw cash during investigations. Our work showed that an FAIS investigator retained and withdrew cash from the checking account for the counterfeit military parts investigation without documentation of management approval. In addition, we determined that FAIS did not establish policies or procedures regarding written management approvals to use or retain funds from a checking account. In the absence of written policies and procedures, the investigator responsible for the checking account confirmed that the team did not use a written approval process for its checking account. He also stated that the then FAIS managing director was fully aware of and had given oral approval to withdraw cash to make the purchases and retain funds from the checking account. After a new managing director assumed responsibility for FAIS in October 2012, the Director of Investigations initiated a reconciliation of FAIS’s checking account to supporting documentation. During the reconciliation, FAIS managers became aware that cash amounts ranging from $61.75 to $1,014 had been retained outside the account over the course of the counterfeit military parts investigation. Moreover, when the last payment for this investigation was made in December 2011, $114.65 in cash remained outside of the account. The responsible investigator deposited $115 into the checking account on March 22, 2013. FAIS closed the account on May 1, 2013, and returned $7,159.69 to Treasury. In response to our work, FAIS revised, in January 2014, its form for documenting management approval to make investigative purchases to include approval of cash withdrawals from checking accounts to make undercover purchases. Gaps Existed in FAIS Policies and Procedures for Ensuring Accountability of Undercover Funds in Checking Account: We identified gaps in FAIS policies and procedures regarding how to use and safeguard undercover funds disbursed through a checking account. Policies and procedures we identified that were relevant to the use of a checking account were in FAIS’s Investigation Manual’s chapter on imprest funds. The imprest fund chapter establishes policy requiring that all remaining funds from FAIS investigations be returned to the GAO imprest fund after the investigation is completed, and it provides procedures for how to obtain cash from this imprest fund. However, the chapter provides no guidance regarding the roles and responsibilities of FAIS staff and managers for safeguarding these funds or for ensuring compliance with the bona fide needs statute. The chapter also does not identify policies or procedures for how to open a checking account or whether written management approvals are required to use or retain cash. We believe the lack of policies and procedures regarding how to open credit union accounts, including requirements consistent with federal appropriations law, may have contributed to the then FAIS managing director making an improper donation of personal funds to open credit union accounts in September 2011.[Footnote 22] Using personal funds, regardless of the amount, to open these accounts improperly augmented GAO’s appropriation.[Footnote 23] In addition, FAIS policy requires, at the end of an investigation, the preparation of a document that provides a cost breakdown of the funds that have been spent and, if appropriate, a notation of any unused funds that will be returned to the GAO imprest fund. FAIS staff prepared cost breakdown worksheets for both the counterfeit military parts and for-profit schools investigations. However, only the for- profit schools investigation worksheet identified the use of a credit union account, and neither of the worksheets prepared for the two investigations identified funds retained following completion of the investigation. A policy that requires returning funds to the GAO imprest fund only after an investigation is completed and not at the end of the fiscal year may result in the improper use and retention of expired funds, particularly if staff and managers are unaware of how to ensure compliance with applicable appropriation laws such as the bona fide need statute. We also found that FAIS’s policies and procedures do not identify other means of obtaining funds, such as electronic transfers. According to the FM director, GAO closed its imprest fund in December 2013. Although the GAO imprest fund is now closed, FAIS investigators may need to access cash for investigative activities in the future. As a result, the need for updated and complete policies and procedures remains. In response to our work, FAIS has revised its policies and procedures regarding how to use and safeguard undercover funds disbursed through a checking account. The revised policies and procedures explain, among other things, the roles and responsibilities of FAIS staff and managers in safeguarding funds and opening a checking account, the extent to which written management approvals are required to use or obtain funds, the mechanisms for overseeing and monitoring funds, and detailed process to account for funds and return any unused funds after the authorized investigative activity has been completed. According to the FAIS Director of Investigations, these policies and procedures will be distributed and affected staff will be trained as soon as they are finalized. In March 2014, FAIS’s investigative assistant directors received training on these policies and procedures and have begun implementing them through oral instruction to staff. Controls over Use and Payment of Undercover Charge Cards Were Ineffective: FAIS controls were ineffective in preventing the use of undercover charge cards prior to the FAIS Oversight Board’s approval of the investigative plan and FAIS management approval to make a purchase. In addition, FAIS oversight and monitoring of undercover charge card usage was ineffective in ensuring that charge card bills were paid timely and that cards were used in a manner that was consistent with GAO’s general acquisition and property management policies.[Footnote 24] Further, FAIS’s policies and procedures for undercover charge cards are outdated and incomplete. Half of the Undercover Charge Card Purchases That Required An Approved Investigative Plan Were Made Before Plan Approval: GAO and FAIS policies[Footnote 25] require written approval of an investigative plan prior to conducting any investigative actions, such as undercover charge card purchases. To obtain approval of an investigative plan, FAIS must have signatures from all FAIS Oversight Board members as well as from FAIS’s Managing Director, Director of Investigations, responsible assistant director, and investigator. Of the ten undercover card purchases (totaling $5,026.18) requiring an approved investigative plan, our analysis showed that five occurred after written approval of the plan, as required, and five did not. Four of the five purchases, totaling $2,930.83, made without the requisite approved plan occurred while the FAIS Oversight Board was reviewing the investigative plan. For one of the four purchases, we also determined that, while FAIS did not have an approved investigative plan, the investigator had obtained oral approval from GAO executives prior to making the purchase. The one remaining purchase made without an approved investigative plan occurred 50 days prior to board approval. This purchase, totaling $245.54, also occurred prior to receipt of FAIS management approval authorizing use of an undercover charge card – another requirement for the purchase. Our review of the documentation associated with this purchase and consultation with the Assistant General Counsel to FAIS did not identify any reason this purchase should have occurred prior to requisite approvals. In response to our work, FAIS has modified the form it uses to document management approval to use an undercover charge card to include an electronic link to the approved investigative plan, when applicable, to help ensure that all requisite approvals are obtained. Control over the Use of Undercover Charge Cards Was Not Maintained: To safeguard its undercover charge cards, FAIS centrally controlled access to the cards and restricted their use to its investigators and undercover charge card coordinator. Following receipt of written authorization from a manager (or designee) to use an undercover charge card, the coordinator provided an authorized investigator with a card and recorded transfer of accountability for the card to the investigator in the FAIS control log. Our work showed that these controls did not go far enough in tracking or controlling the use of undercover charge cards. For example, our analysis showed that 6 of the 14 management approvals granted in fiscal year 2012 had occurred after the card was used. FAIS policy requires an approved investigative plan, when applicable, and written management approval to make a purchase prior to use of an undercover charge card. However, we found that FAIS spent $1,725.86 (almost 19 percent) of the total $9,206.42 without prior management approval. These purchases included expenditures made to set up websites, rent mailboxes, reactivate cell phones, and make undercover purchases of items as potential evidence. In addition, we found that an investigator gave an undercover charge card to an unauthorized individual who used the card to make two purchases for an investigation. The investigator acknowledged that the card should have never left his control and that he could have made the purchases himself. Our analysis also showed that four purchases totaling $784.54 were charged to accounts of undercover charge cards that were not checked out during the purchase period. These purchases included mailbox rentals, purchases of cell phone minutes, and an undercover purchase of items as potential evidence. According to the Director of Investigations, these cards had been used for many years and investigators knew the basic card information (name, account number, and expiration date). In fiscal year 2013, FAIS canceled its undercover charge cards and replaced them with new ones to address this familiarity risk. One Monthly Statement Was Not Paid Promptly: FAIS policies and procedures[Footnote 26] require the undercover charge card coordinator to reconcile monthly charge card bank statements, within two days of receipt, to supporting documentation and to submit this information to an approving official for review and approval for payment. In addition, the Prompt Payment Act,[Footnote 27] which applies to the contract FAIS used to obtain its undercover cards, requires timely payment of bills upon receipt of a valid invoice. Further, the Prompt Payment Act assesses late interest penalties against agencies that pay vendors after a payment due date. However, our analysis showed that $344.40 in charges shown on FAIS’s June 2012 statement were not paid until August 2012. The coordinator said a heavy workload delayed the monthly reconciliation and approval of this statement for payment. While FAIS had access to reports identifying undercover charge card transactions, it lacked effective monitoring controls to ensure that charge card statements were paid timely. Although GAO’s late payment was not in compliance with the Prompt Payment Act, we confirmed that no interest penalty was due to the vendor. Undercover Charge Cards Were Used to Pay for Information Technology Services and Equipment: GAO policy[Footnote 28] requires all agency procurement of information technology hardware, software, telecommunications, and services to be coordinated through Information Systems and Technology Services (ISTS). ISTS’s telecommunications manager clarified that GAO staff are required to coordinate all purchases of information technology equipment with ISTS to ensure that (1) the need for the equipment cannot be met through existing inventory, (2) GAO offices take advantage of central procurement and inventory processes, and (3) equipment purchases are identified in GAO inventory for tracking and maintenance purposes. Our analysis of undercover charge cards showed that FAIS did not follow GAO policy when it used its cards to pay monthly bills for two telephone lines and to purchase a fax machine without coordinating with ISTS. According to ISTS’s telecommunications manager, ISTS is responsible for contracting for and paying for GAO telephone lines and information technology equipment, including fax machines. FAIS’s Director of Investigations was unaware of GAO’s requirement to coordinate with ISTS or why FAIS was using an undercover charge card to pay for its telephone lines. In response to our work, FAIS’s Director of Investigations stated that he has canceled FAIS’s telephone lines and will coordinate with ISTS to obtain telephone services on an as-needed basis. Gaps Existed in FAIS Policies and Procedures for Undercover Charge Cards: Policies and procedures are important tools for establishing and communicating controls to staff. However, FAIS’s policies and procedures concerning undercover charge cards in effect for fiscal year 2012 did not reflect changes regarding the team’s use of charge cards.[Footnote 29] For example, the team no longer had purchase cards and instead used GAO’s acquisition management office to fulfill its general procurement needs. In 2009, FAIS replaced its purchase cards with undercover charge cards to better support investigative activities and operations. These cards provide FAIS investigators with greater purchase flexibility for undercover purposes by removing certain restrictions, such as single purchase limits, verification of price reasonableness, and prohibitions against use of the card to pay for travel expenses. However, we found that FAIS policies and procedures did not describe the process or controls to safeguard the physical cards and monitor their use to ensure compliance with authorization requirements. The FAIS revised draft policies and procedures for ensuring accountability over undercover funds, including the use of undercover charge cards, are in the final phase of review before they are made available to staff. FAIS’s Director of Investigations stated that staff will be trained following issuance of the new policies and procedures to FAIS staff. He also indicated that FAIS is in the process of finalizing an agreement with its card provider to replace its existing undercover charge cards with cards that will be issued to specific investigators and investigations on an as-needed basis. Under this agreement, when an FAIS investigation ends or the need for a charge card no longer exists, the card will be canceled. In addition, as discussed earlier, FAIS has revised its approval form to include an electronic link to an approved investigative plan. Key Factors Contributed to FAIS’s Weak Control Environment: Our work identified two key factors that we believe contributed to the weaknesses in FAIS’s control environment discussed earlier. These factors include: * The lack of an effective framework for ensuring that FAIS investigative policies and procedures, including those regarding accountability for undercover funds, are current, complete, and familiar to FAIS staff; and; * Ineffective oversight and monitoring to identify and respond to weaknesses in the overall control environment and activities pertaining to accountability for undercover funds. GAO Lacked an Effective Framework for Ensuring that FAIS Investigative Policies and Procedures Were Current and Complete: CIGIE’s Quality Standards for Investigations and GAO’s Standards for Internal Control in the Federal Government[Footnote 30] emphasize the importance of developing detailed policies and procedures to fit the agency’s operations, and training staff to ensure that these requirements are built into and become an integral part of operations. The standards also require that policies and procedures should be periodically reviewed for continued relevance and effectiveness and updated as needed. To ensure GAO policy remains current and relevant, GAO Order 0010.1, Government Accountability Office (GAO) Orders, Operational Directives, and Manuals[Footnote 31] requires that these important documents are reviewed and updated as appropriate every three years. GAO’s policy manual[Footnote 32] recognizes FAIS’s role in establishing and maintaining its policies and procedures by referring staff to FAIS for operational authorities and procedures governing investigations. However, an internal GAO inspection concluded that GAO’ s investigative policies and procedures were outdated and incomplete while acknowledging that efforts were under way to update these key documents.[Footnote 33] As previously discussed, we also found gaps in FAIS policies and procedures regarding accountability for undercover funds. Written policies and procedures for ensuring accountability over undercover funds aid management in establishing and communicating the “who, what, when, where, and why” of internal control execution to personnel. Given FAIS’s staff turnover, including four managing directors in three years, written policies and procedures and trained staff provide a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel. Documentation also provides a means to communicate policy and procedural information as needed to external parties such as external auditors. Our work identified a factor that may have contributed to the lack of progress in updating FAIS’s investigation manual and procedures. Specifically, the Infrastructure Operations office, which GAO Order 0010.1 designates as responsible for managing the agency’s orders, directives, and manuals, relies on the responsible mission team or unit to notify the Infrastructure Operations office when these documents need to be updated. GAO’s Order 0010.1 identifies mission teams, such as the Financial Management and Assurance team, as responsible for policies and procedures related to GAO engagements within their area of activity. However, the order does not identify FAIS among the organizational teams or units that have a manual or significant procedures that require periodic review. According to an Infrastructure Operations office manager, GAO is updating the order and its process for maintaining its policies and procedures. The lack of current and complete policies and procedures hinders FAIS management’s ability to effectively communicate and train staff on their individual roles and responsibilities for ensuring accountability of undercover funds. Although knowledgeable staff is an important component in ensuring compliance with investigative standards and GAO and FAIS specific requirements, our work identified uncertainty and confusion among FAIS staff and managers regarding policies and procedures. Moreover, key FAIS investigators and staff we interviewed stated that they had received little to no training from FM or FAIS regarding their specific roles and responsibilities for ensuring accountability of undercover funds. As previously discussed, FAIS’s policies and procedures for ensuring accountability over undercover funds are currently going through the agency’s review and approval process. FAIS’s Managing Director and Director of Investigations stated that, prior to issuing updated policies and procedures, the drafts must be coordinated and reviewed by several different units within GAO, such as the labor-management relations office, which reviews the drafts to determine whether an obligation to bargain with GAO’s employee union exists.[Footnote 34] As an interim step toward strengthening its procedures and ensuring appropriate accountability over undercover funds, FAIS’s Managing Director stated that FAIS has provided policy and procedural guidance to its managers (non-bargaining unit employees) who are now using it to direct FAIS staff. Once FAIS investigative policies and procedures are finalized, they will be provided to FAIS staff. In addition, FAIS’ s Director of Investigations stated that FAIS will ensure that all staff are fully trained on the new policies and procedures. Ineffective Oversight and Monitoring Increased Risks to Accountability of Undercover Funds: Ineffective oversight and monitoring also contributed to weaknesses in accountability of undercover funds. GAO voluntarily performs an internal assessment of the effectiveness of internal controls in its financial management operations and related activities. The Program Analysis and Operations (PAO) office conducts this assessment. Prior to May 2014, FAIS undercover funds were not included in these assessments. In response to our work and under the new procedures developed by FM, to ensure accountability over investigative funds, in May 2014, PAO initiated its first assessment of internal controls over FAIS transactions, including cash-based obligations and expenditures and related procedures. Prior to this assessment of controls, PAO’s monitoring of FAIS undercover funds consisted of periodic reviews of undercover charge card transactions, and were primarily limited to ensuring that payments had supporting documentation. Reviews of undercover charge card transactions were discontinued in 2012 at the direction of the then PAO Director. Financial Management and Business Operations staff stated that the sensitivity of FAIS operations has hindered their ability to oversee and monitor FAIS’s financial management of undercover funds. PAO’s director stated that improved cooperation and support within FAIS would facilitate more meaningful evaluations of FAIS controls. In response to our work, PAO’s director indicated that FAIS undercover funds would be included in a future internal assessment of internal controls. Recent Management Attention: In response to our audit, GAO and FAIS have taken or initiated a number of actions to mitigate the control risks identified in our audit. Specifically, FAIS has a comprehensive effort under way to revise and update existing policies and procedures, as well as institute additional internal and external controls for the proper administration and operations of its investigative programs, including those governing investigative funds. For example, FAIS has created specific policies and processes for obtaining, accounting for, and returning credit cards, bank accounts, and cash, as well as mechanisms for oversight and monitoring activities to ensure compliance with GAO and FAIS policies and applicable federal appropriations laws and regulations. In addition, FAIS has clarified roles and responsibilities for requesting, authorizing, and approving investigative funds to help ensure accountability and compliance with the Prompt Pay Act and other federal appropriations laws. For example, FAIS has identified the Director of Investigations as the authorizing official and the Assistant Director for Quality Assurance and Operations as the approving official regarding the use of undercover funds. Conclusion: Establishing appropriate internal controls concerning FAIS’s use of undercover funds is essential to help ensure they are used efficiently and effectively and accountability is maintained in compliance with applicable laws, regulations, and policies and procedures. FAIS recognizes the importance of controls regarding its investigative operations and activities and has a comprehensive effort under way to update its policies and procedures for ensuring accountability for undercover funds. Recommendations for Executive Action: To help ensure timely completion of FAIS’s efforts to strengthen its control framework and ensure accountability of undercover funds consistent with GAO policy, professional standards, and applicable statutes and regulations, we recommend that the Comptroller General direct FAIS’s Managing Director to take the following two actions: 1. expeditiously complete efforts to update and implement FAIS policies and procedures to ensure accountability of undercover funds and compliance with federal appropriations law. These policies and procedures should clearly document FAIS controls related to undercover funds, including methods available to obtain funds, approvals required, reporting requirements regarding the use of and status of funds, and oversight and monitoring activities for ensuring compliance, and; 2. provide FAIS investigators and others, as appropriate, training on the updated FAIS policies and procedures regarding accountability of undercover funds, including individual roles and responsibilities related to oversight and monitoring and control activities, for ensuring compliance with GAO and FAIS policies and appropriations law. In addition, we recommend that the Chief Administrative Officer direct the Director of Infrastructure Operations to update GAO Order 0010.1, Government Accountability Office (GAO) Orders, Operational Directives, and Manuals (July 1, 2013) to identify FAIS as the office of primary responsibility for forensic audit and investigative policies and procedures related to GAO’s engagements to help ensure these documents are updated, as needed. Agency Comments: The inspector general provided GAO with a draft of this report for review and comment. GAO provided written comments, which are reprinted in attachment I. GAO agreed with our recommendations and described actions taken to mitigate the control risks identified in our work and planned to address our recommendations. The agency also provided technical comments that we incorporated, as appropriate. Actions taken in response to our recommendations are expected to be reported to our office within 60 days. We are sending copies of this report to the other members of GAO’s Executive Committee (the Chief Operating Officer, Chief Administrative Officer/Chief Financial Officer, and General Counsel), GAO’s Audit Advisory Committee, and other key managers. The report is also available on the GAO website at [hyperlink, http://www.gao.gov/about/workforce/ig.html]. If you or your staff have any questions about this report, please contact me at (202) 512-5748 or trzeciaka@gao.gov. Key contributors to this report were Evelyn Logue, Cathy Helm, Cynthia Hogue, and Matthew Hunter. Attachment: [End of section] Attachment I: Comments from the U.S. Government Accountability Office: U.S. Government Accountability Office: GAO: 441 G St. N.W. Washington, D.C. 20548: Date: April 11, 2014: To: Adam Trzeciak, Inspector General: From: [Signed by] Karl J. Maschino, Chief Administrative Officer: Subject: Agency comments on draft report on undercover funds (01G-14- 1): Thank you for the opportunity to review and comment on draft report 01G-14-1. I appreciate the professionalism and courtesy with which you and your staff conducted this audit We recognize, as your report mentions, that appropriate internal controls are essential to ensure that investigative funds are used efficiently and effectively. I am pleased to report that GAO's Forensic Audits and Investigative Service (FAIS) team has completed several key actions to mitigate the control risks noted in your report, and has others substantially underway. Specifically, FAIS has updated its operating policies and procedures for investigations, including its procedure for using investigative funds, which are in the clearance and bargaining process with the employee union. Upon final approval, the FAIS Managing Director will ensure that all investigative staff are fully trained on the new policies and procedures. In the meantime, investigative staff are receiving clear and consistent direction, instruction, and guidance on the completion of the duties and requirements of their positions. FAIS investigative managers received training on the revised investigative funds policy and procedures in March 2014. Per its policies and procedures, FAIS has also clarified roles and responsibilities for requesting, authorizing, and approving investigative funds, and the Agency Point of Contact (APC) duties for investigative funds have been reassigned from the administrative level to the management level. FAIS is also working with the Office of Acquisition Management to explore alternative mechanisms for administering investigative funds. In addition, Financial Management and Business Operations (FMBO), in consultation with FAIS, finalized a standard operating procedure (SOP) in February 2014 for FMBO support of investigative activities. Among other things, the SOP establishes procedures for obtaining cash advances for investigative activities and implements monthly and annual reviews by FMBO's Financial Management Office (FM) of those advances. FMBO/FM has already begun providing monthly reports of any outstanding cash advances to FAIS for use in the oversight of investigative funds. The SOP also provides for quarterly internal control reviews of FAIS transactions, including cash-based obligations and expenditures and related procedures, by FMBO's Program Analysis Office (PAO), the unit responsible for the assessment of and reporting on the effectiveness of GAO's internal controls. The first of these reviews was completed in March 2014. Finally, we have begun the process of updating GAO Order 0010.1, "Government Accountability Office (GAO) Orders, Operational Directives, and Manuals" to identify FAIS as the office of primary responsibility for forensic audit and investigative policies and procedures related to GAO's engagements. FAIS will work with the Chief Administrative Office to update GAO Order 0130.1.5, "Forensic Audits and Special Investigations" to reflect changes to FAIS policies once the relevant policy chapters have been finalized and implemented. I am confident that the completed and planned actions listed above have and will significantly improve our internal controls over FAIS investigative funds. If you have any questions please contact me on (202) 512-5800. cc: Patricia Dalton, COO: Susan Poling, GC: Cheryl Whitaker, DCAO: William Anderson, Controller: Stephen Lord, FAIS: Wayne McElrath, FAIS: Adebiyi Adesina, FMBO: Peter Rudman, FM: Adrienne Walker, PAO: Cathy Helm, OIG: [End of section] Reporting Fraud, Waste, and Abuse in GAO’s Internal Operations: To report fraud and other serious problems, abuses, and deficiencies relating to GAO programs and operations, do one of the following. (You may do so anonymously.) * Call toll-free (866) 680-7963 to speak with a hotline specialist, available 24 hours a day, 7 days a week. * Online at: [hyperlink, https://OIG.alertline.com]. Obtaining Copies of OIG Reports and Testimony: To obtain copies of OIG reports and testimony, go to GAO’s website: [hyperlink, http://www.gao.gov/about/workforce/ig.html]. [End of section] Footnotes: [1] FAIS defines undercover operations as any investigation involving a series of undercover activities over a period of time. An undercover activity is defined as an investigative activity involving the use of an assumed name or cover identity. [2] See 31 U.S.C. §§ 712(1), (4); 717(b). [3] Financial Management and Business Operations provide services that support GAO teams and offices through four program offices: Acquisition Management, Budget Office, Financial Management, and Program Analysis and Operations. [4] Program Analysis and Operations is responsible for the annual assessment and reporting on the effectiveness of GAO’s internal controls, including those related to financial systems and related processes. [5] GAO, DOD Supply Chain: Suspect Counterfeit Electronic Parts Can Be Found on Internet Purchasing Platforms, [hyperlink, http://www.gao.gov/products/GAO-12-375] (Washington, D.C.: Feb. 21, 2012) and For-Profit Schools: Experiences of Undercover Students Enrolled in Online Classes at Selected Colleges, [hyperlink, http://www.gao.gov/products/GAO-12-150] (Washington, D.C.: Oct. 31, 2011). [6] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [7] GAO, GAO Policy Manual—January 1, 2008 Version (Updated December 2012). [8] Forensic Audits and Special Investigations, GAO Order 0130.1.5 (July 22, 2010); GAO, Managing Director of Forensic Audits and Special Investigations, FSI Request for Waiver of Select GAO Purchase Card Requirements, memorandum to the Chief Administrative Officer (Apr. 21, 2009); and FAIS Investigation Manual, Section 1 - Protocols, Chapter 6, Forensic Audits and Special Investigations (FSI), General Protocols and Procedures Related to GAO’s Imprest Fund (Nov. 2, 2006) and Chapter 7, Forensic Audits and Special Investigations (FSI), Protocols and Procedures Related to the Use of Purchase and Travel Cards. No date was reflected for the manual or chapter 7. [9] Council of the Inspectors General on Integrity and Efficiency, Quality Standards for Investigations (Nov. 15, 2011). [10] GAO Order 0130.1.5; Management’s Responsibility for Internal Control, GAO Order 0201.3 (Aug. 23, 2006); Administrative Control of Funds, GAO Order 0211.1 (Aug. 27, 2011); Definition and Use of Imprest Funds, GAO Order 0215.2 (Dec. 12, 2006); and GAO Policy Manual, Section 315: Consultations with Experts and Specialists, Part C - Forensic Audits and Investigative Service. [11] Members of the FAIS Oversight Board include GAO’s Chief Operating Officer, General Counsel, Chief Quality Officer, and the Managing Director of Applied Research and Methods. [12] OMB Circular No. A-123 Revised, Management’s Responsibility for Internal Control (Dec. 21, 2004). [13] 31 U.S.C. § 1502 (a). [14] [hyperlink, http://www.gao.gov/products/GAO-12-375]. [15] GAO made cash disbursements from the GAO imprest fund of $900 on September 27, 2011, and $10,000 on September 29, 2011—one day prior to year-end. [16] These payments were for 16 counterfeit military parts purchases from 13 vendors. [17] After the end of the period of availability, the account remains open for up to five years. During this period before the account is closed, it remains available for recording, adjusting, and liquidating obligations properly chargeable to that account. 31 U.S.C. §§ 1552(a), 1553. [18] [hyperlink, http://www.gao.gov/products/GAO-12-150]. [19] On October 28, 2011 (fiscal year 2012), FM provided FAIS with $5,000 in fiscal year 2011 funds from the GAO imprest fund. On November 21, 2011, FM made an electronic transfer of $25,000 in fiscal year 2011 funds to FAIS’s checking account. [20] FAIS Investigation Manual, Section 1, Chapter 6. [21] GAO Office of Financial Management, FMBO Support for Investigative Activities (Feb. 28, 2014). [22] The $10 donation included a lifetime credit union membership fee of $1 and a deposit of $4 into a checking account and $5 into a savings account. [23] See GAO Principles of Appropriation Law, 6-163 (which cites 31 U.S.C. 3302(b); 31 U.S.C. 1301(a); and Comptroller General decisions holding that an agency may not circumvent limitations by augmenting its appropriations from sources outside the government). [24] U.S. Government Accountability Office Procurement Guidelines, GAO Order 0625.1 (May 7, 2009); and Control of Capitalized and Other Accountable Personal Property, GAO Order 0621.3 (Aug. 3, 2012). [25] GAO Policy Manual, Section 315, Part C; GAO Order 0130.1.5; and FAIS Investigation Manual, Section 1, Chapter 6 and Chapter 1, Forensic Audits and Special Investigations (FSI): General Protocols and Procedures For Performing Work Related to Forensic Audits and Investigations (no date). [26] GAO, Managing Director of Forensic Audits and Special Investigations, memorandum to the Chief Administrative Officer (Apr. 21, 2009); and FAIS Investigation Manual, Section 1, Chapter 7. [27] 31 U.S.C. § 3901, et seq. [28] GAO Order 0625.1. [29] GAO, Managing Director of Forensic Audits and Special Investigations, memorandum to the Chief Administrative Officer (Apr. 21, 2009); and FAIS Investigation Manual, Section 1, Chapter 7. [30] CIGIE, Quality Standards for Investigations; and GAO Standards for Internal Control in the Federal Government. [31] GAO, Government Accountability Office (GAO) Orders, Operational Directives, and Manuals, Order 0010.1 (July 1, 2013). [32] Section 315, Part C. [33] GAO, Results of 2010 FAIS Engagement Review (Jan. 20, 2012). [34] GAO Employees Organization, International Federation of Professional and Technical Engineers (IFPTE, Local 1921). [End of document]